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Abstract — This paper presents a random coding scheme with 
which two nodes can exchange information with guaranteed 
integrity over a two-way Byzantine relay. This coding scheme 
is employed to obtain an inner bound on the capacity region 
with guaranteed information integrity. No pre-shared secret or 
secret transmission is needed for the proposed scheme. Hence 
the inner bound obtained is generally larger than those achieved 
based on secret transmission schemes. This approach advocates 
the separation of supporting information integrity and secrecy. 



I. Introduction 

In order for two parties to communicate through an in- 
termediary node, it is required that the intermediary (hereto 
referred to as a relay) must faithfully forward the information. 
In a communication network, such cooperative behavior is 
not guaranteed as relays may have reasons for forwarding 
false information in order to fool the intended participants. 
Such attacks, oft referred to as Byzantine attacks, have major 
ramifications on protocols that operate within the network. For 
instance, Maurer |1 1 addressed the need for authentication in 
order to support secret key agreement in a simple two-node 
system with an active eavesdropper. In much the same way, 
integrity of information must be guaranteed for larger systems 
to ensure secrecy. The genesis of this problem has roots in 
cryptography |2| where codes like fSl, f4] have been studied as 
a means of determining Byzantine attacks, while more recent 
work has focused on the integrity of a network using linear 
network coding f5l, f6l, as well as the study of using coding to 
determine manipulation in basic channels which are supported 
by a relay Q, ISl. 

Historically this problem of guaranteeing information in- 
tegrity is treated by the use of a non-observable key to add 
redundancy to information that allows attack detection. In 0, 
the problem, originally motivated by a dishonest gambling 
pit boss, was studied with use of planar codes and random 
codes. While in |4|, Cramer et al. show that any random 
linear transformation into a space of greater dimension is with 
high probability invertible. Thus if one were to modify the 
transformation or the symbols, it is with high probability that 
the modified sequence would not be one corresponding to 
any valid input sequence. The resulting codes are known as 
algebraic manipulation detection (AMD) codes. 

In order to extend these ideas to the physical layer, addi- 
tional redundancy is required to cope with the possibility of 
channel errors. Mao and Wu | 8 1 posed the problem of trying 



to determine which relay in a multiple relay two-hop network 
was manipulating the data. A cross-layer method is set forth in 
which a cryptographic key is inserted into the signal, by which 
the intended destination determines from the physical layer 
error rate if manipulation has occurred. In slight contrast, the 
more recent work of He and Yener |7 1, mainly focused on the 
problem in the two-way two-hop channel studied in this paper, 
does not require use of a shared secret key. Instead, an LDPC 
code is employed to support secret transmission which in turns 
allows the use of an AMD code to detect attacks by the relay 
key. The major drawback of this solution is not separating the 
need for secrecy and integrity. As a result, it does not provide 
a deeper understanding of what is actually needed to support 
the two different requirements, making extensions to beyond 
the addition channel considered in |7 1 difficult. 

In contrast we propose a different strategy by separating the 
concepts of secrecy and integrity to ensure that communication 
can be verified without use of any key or any secret transmis- 
sion. Using random coding techniques, we obtain an inner 
bound on the capacity region with guaranteed information 
integrity in the general scenario of two nodes which must 
communicate through a Byzantine relay node. Section |ll| 
describes the channel model in detail. The inner bound on 
the capacity region with guaranteed information integrity is 



provided in Section III An outline of the achievability proof 
that leads to the inner bound is given in Section Tvl The 



notation employed in the paper is summarized in Table 



II. Two-way Amplify- and-forward Relay Model 

Consider the two-way, half-duplex relay channel model 
shown in Fig.[T] in which two nodes (1 and 2) simultaneously 
send symbols to a relay node through a discrete, memoryless 
multiple-access channel (MAC). The half-duplex relay node 
is then supposed to broadcast its received symbols back to 
the two nodes in the amplify-and-forward (AF) manner. For 
simplicity, we assume that the broadcast channel (BC) from 
the relay back to the nodes is perfect. That is, both nodes 
perfectly observe the symbols sent out by the relay. There 
is some possibility that the relay may modify its received 
symbols in an attempt to conduct a manipulation attack. The 
design goal is for each node to at least detect any malicious act 
of the relay in the event that it can not decode the information 
sent by the other node; in other word, to guarantee the integrity 
of the information forwarded by the relay. 
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Fig. 1: Two-way, half-duplex, amplify- and-forward relay 
model. 

TABLE I: Notation 



X 


random variable 


X G A' 


the element x from the alphabet of X 




n instances of random variable X over A' 


AA(x|a;^) 


number of times x occurs in 


Pa.-(x) 






PyT, (y) 




{Px- : |Px-(x)-P(x)| <S} 




{x^ : P^r. G [X]-} 


Px\Y{^\y) 


cond. pmf of X given Y; also treated as a matrix 




indicator function 



More specifically, let A'l, A'2, and Z// denote the discrete 
alphabets of node I's input, node 2's input, and the output of 
the MAC. Over time instants 1, 2, . . . , n, suppose that nodes 1 
and 2 transmit the symbol sequences and ^2 , respectively, 
through the memory less MAC. The output sequence U"^ is 
conditionally distributed according to 



p{u''\x'l,X^) = Y[Pu\X^,X2{Ui\xi,i,X2,i) 



(1) 



where the conditional pmf Pt/|Xi,X2 (u|xi, X2) specifies the 
MAC. The relay node, during time instants 1, 2, . . . ,n, ob- 
serves the output symbol sequence of the MAC, processes 
(or manipulates) it, and then broadcasts the processed symbol 
sequence to nodes 1 and 2 at time instants n + l,n + 2,...,2n 
via the perfect BC. Let V be the alphabet of the relay's 
processed symbols. Because the relay is supposed to work in 
the AF manner, there must be a one-to-one correspondence 
between the elements of U and V. Thus, without loss of 
generality, we may assume that V = U. Let denote 
the relay's output sequence. The assumption of perfect BC 
from the relay to the nodes implies that = 3^2 = 



Yi\V 



Y2\V 



L and 



p{y^.y^\vn = Hyi=y2=vn' 



(2) 



For convenience hereafter, we simply make the symbol 



sequence observed by both nodes. 

Fix n. Let Ri and R2 be two positive rates. Consider the 
encoder-decoder quadruple (C^^ , C2 , ^1 , ^2 ) • 

C^^ : {l,2,...,2^^i} ^ 
: {1,2,...,2^^2} ^ 

g'l'.W X {1,2,..., 2^^^} {1,2,...,2^^2}U{!} 
g^:W X {1,2,...,2^^2} ^ {1, 2, . . . , 2^^^} U {!} 

where and are the encoder and decoder used by node 1, 
and C2 and ^2 the encoder and decoder used by node 2. 
Note that we allow the encoders C^^ and C2 to be random. The 
symbol ! in the decoder output alphabets denotes the decision 
that the received sequence is deemed untrustworthy, i.e., the 
relay has possibly been malicious. Let Wi and W2 be indepen- 
dent messages of nodes 1 and 2 that are uniformly distributed 
over {1,2,..., 2^^^ } and {1, 2, ... , 2^^^ }^ respectively. Then 
Xf = Cy(V^i) and = C^{W2) are the codewords sent 
by nodes 1 and 2 to the relay through the MAC. 

The potential manipulation by the relay is specified by the 
conditional distribution of given the other random quan- 
tities mentioned above. We impose the Markovity restriction 
on the conditional distribution that 

x^,x^, wuW2^ c^) = c^) (3) 

which means that the relay may potentially manipulate the 
transmission based only on the output symbols of the MAC 
that it observes as well as its knowledge about the codebooks 
used by the nodes. If cj, C2 ) = 1 ('^^ = u'^), then 

we regard the relay as non-malicious. Otherwise the relay is 
malicious. For later presentation clarity, we will employ Hi 
and Ho to denote the conditions that the relay is and is not 
malicious, respectively. 

With the scheduling and coding scheme described above, we 
say that the rate pair (i?i,i?2) is achievable with guaranteed 
information integrity if there exists a sequence of encoder- 
decoder quadruples {(CJ, C2 , ^1 , ^2 )} ^^^h that: 

Under Hq : 

Pr {g^{V^, Wi) + W2^ g^{V^, W2)7^Wi}^0 
Under Hi : 

Pr {g^V^, Wi) i {W2^ !} U g^iy^^ , W2) ^ {Wi, !}} ^ 

as n 00. Note that the requirement under Hi forces 
the decoders to either detect the substitution attack by the 
relay or correct the symbols modified. The capacity region 
with guaranteed information integrity in this case can then 
be defined as the closure of the set of achievable rate pairs 
with guaranteed information integrity. Note that we have not 
counted the use of the perfect BC from the relay back to the 
nodes in the rate definition above. If that is to be counted, the 
factor of 0.5 should be added to all rates because the fixed 
transmission schedule descrived above. 

Note that from ([T]), ([2]), and ([3j, the joint distribution of 



(l/^,[/^,Xf,X5^,VI^i,V^2,C^C^) is given by 



ii^, x^, x^, ^1, ^2, c?, 4) 

•l(c^K)=^^)pK)pK)p(c^c^). (4) 

III. Inner bound on capacity region 

Under the operational definition of information transfer with 
guaranteed integrity given in Section [Ilj it turns out that 
the matrix-algebraic structure of manipulahility given in |9 | 
is critical to our inner bound on the capacity region. For 
easy reference, we repeat the definition of manipulahility for 
node I's observation channel specified by the stochastic matrix 
pair {Pu\x^-,Pyi\v) in th^ notation of this paper: 

Definition 1. The observation channel {Pu\Xi-,Pyi\v) 
manipulable if there exists a \U\ x \U\ non-zero matrix T, 
whose jth column, for each j = 1, 2, . . . , is balanced 
and {0^0) -polarized at j, with the property that all columns 
ofTPu^Xi the right null space of Py^iv- Otherwise, 

{Pu\Xi^ Pyi\v) is s(^id to be non-manipulable. 

Manipulahility of node 2's observation channel 

{Pu\X2^Py2\v) is the same. 

Theorem 1. An inner bound on the capacity region with 
guaranteed information integrity is the closure of the convex 
hull of all (i?i,i?2) satisfying 

Ri < I{Xi;U\X2) 
R2 < I{X2;U\X,) 

for some 

^C/,Xi,X2(u,Xi,X2) = Pf/|Xi,X2(u|xi,X2)Pxi(xi)Px2(x2) 

having the property that {Pjj^xnl) (^nd {Pu\x2i^) ^^^^ 
non-manipulable. 

Note that the difference between the above region and the 
standard capacity region (without guaranteed integrity) is that 
the former does not contain the rate pairs generated by input 
distributions that do not give non-manipulable observation 
channels while the latter does. 

Let us apply Theorem [T] to the simple example two-way AF 
relay channel made up of a binary erasure MAC 1 10| and a 
perfect BC. That is, Xi and X2 have the same binary alphabet 
{0, 1}. The MAC is described by = Xi + X2. Hence the 
alphabet of U and V are both {0, 1,2}. The BC is defined 
by Yi = y and I2 V, and Py^\v Py2\v P Let 
Pxi (1) = P and Pxi (1) = q, where < p^q < 1. Then 

/1-q \ /1-p 

Pu\x, = q 1 - ^ Pu\x2 = p 1 - p 

\ q J \ p 

It is not hard to check |9, Thm. 2] that both {Pu\Xi,I) and 
{Pu\X2^^) non-manipulable for all choices of p and q. 
Thus the inner bound in Theorem [T] implies that the capacity 
regions with and without guaranteed information integrity are 
identical as shown by the thick-lined square region in Fig. |2j 
and can be achieved by choosing both Xi and X2 to be equally 
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Fig. 2: Capacity region with guaranteed information integrity 
of the two-way AF relay channel with a binary erasure MAC 
and a perfect BC. 



likely binary random variables. With this choice of input 
distributions, the shaded area shown in Fig. [2] is the capacity 
region of the binary erasure MAC channel, treating the relay 
as the MAC receiver. From the achievability argument in 



Section IV to guarantee integrity while operating in the shaded 
region, we need randomization in the encoders to move the 
operating point up to the unshaded triangular portion of the 
capacity region. Physically, this means that we need to confuse 
the relay from decoding both nodes' messages. Note that for 
this two-way relay channel, uncoded transmission can achieve 
capacity without guaranteed information integrity, while coded 
transmission is needed in order to achieve capacity with 
guaranteed information integrity. We point out that this two- 
way relay channel is also considered in |7|, our result shows 
that attack detection can be indeed achieved without secrecy. 

IV. Outline of Achievability 

We employ the standard random coding argument to show 
that the probabilities of both error events under Hq and 
Hi employed in the definition of achievable rate pairs in 
Section [llj averaged over all random codebooks, converge to 
zero as n increases under the conditions stated in Theorem [T] 
Then the existence of a codebook pair (and the corresponding 
decoding functions) having the same property is guaranteed. 

A. Code Construction 

Fix Pxi(xi) and Px2(x2) that satisfy the condition 
of non-manipulable (Pf/|Xi,^) and {Pu\x2^^)- It can 
then be shown that I{Xi;U) < I{Xi;U\X2) and 
I{X2',U) < I{X2;U\Xi). If I{Xi',U) < Ri < 
/(Xi;/7|X2), I{X2;U) < R2 < /(X2;/7|Xi), and Ri + 
R2 > /(Xi,X2;/7), independently and uniformly pick 
2nRi codewords C?(l), C?(2), . . . , Cy(2^^i) from the typ- 
ical set P[Xi]^ ' where {Sn} satisfies the delta conven- 
tion set forth in ifTTI . Similarly, pick 2^^^ codewords 
C^(1),C^(2),...,C^(2^^2) from the typical set T^^^^ . 

Instantiations of and C2 define the deterministic encoding 
functions for nodes 1 and 2, respectively. If i?2) does not 
satisfy the above conditions, choose another pair {R[^R2), 
with R[ > Ri and R2 > R2, that does. Randomly pick 2^^i 
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and 2"^^2 codewords from T^t ^ and Tr^ n as above to 
form codebooks for nodes 1 and 2, respectively. Pick inde- 
pendent (of all other random quantities) random numbers W[ 
uniformly from {l,2,...,2^^^i~^i^} and W2 uniformly from 
{1,2,...,2^'^^2-^2)| xhen employ the random encoding 

function which maps Wi to {{Wi - 1)2^(^1-^1) ^ 
and the random encoding function which maps W2 to 
((W2 - 1)2^(^2-^2) + ly^y Clearly if we can decode 
to (VI^i - 1)2^(^1-^1) ^ ly/^ we can also obtain V^i, and 
if we can decode to (W2 — 1)2^(^2-^2) ^ can also 

obtain W2- Therefore, we may simply assume below i?2) 
satisfy I{Xi;U) < Ri < I{Xi;U\X2), I{X2;U) < R2 < 
/(X2; U\Xi), and Ri ^ R2 > /(Xi, X2; t/), and employ the 
deterministic encoders without loss of any generality. 

For a fixed codebook pair (0^,02), nodes 1 employs (and 
symmetrically for node 2) the following typicality decoder: 

W2 if K,c?(«;i),c?(«;2)) e Tr^u,x,,x,], 
and there is no W2 7^ W2 such that 

! otherwise, 

where jin is a function of and the alphabets U, Xi, and X2, 
and ^ will be specified later. Both /i^ and Vn satisfy 
the delta convention. Below we will also make use of /i^, /i^, 
jln, and jln, which are all constant multiples of jin- 

B. Error analysis under Hq 

Under this case, we have = U^. Because of 

symmetry and the union bound, it suffices to consider 
Viig^Hy, Wi)^W2}.To that end, define 

respectively. Then 

Pr K(/7-, W^) ^ W2} < Pr{/7^ ^ U{C^^{W^), C^(I^2))} 

+ Pr G UiC'liWi), C^{W2)) 

nV2.JC^(iyi); 1^2,0^)}. (5) 

It remains to show that both probabilities on the right hand 
side of ([5]) converge to zero as n ^ 00. 

By the combination of Problem 2.9], ([TJ, and ifTTl 
Lemma 2.12], it is shown that 

Vr{U^ ^U{C^^(W^),C^(W2))} 

< (n + l)2|'^^ll'^2l2-"^- +2|ZY||A'i||A'2|e-2^'^'. (6) 

Additionally, using the standard argument (cf. |10, Ch. 7]), 
based on the fact that the codewords in the codebooks are 
chosen independently, it is easy to establish 

Vt{U^ e U{C^{Wi), C^{W2)) n V2u^ (CUWi)', W2^ C^)} 

^ 2-n[IiX2;U\Xi)-R2-er,]^ 

for some ^ 0. 



C. Error analysis under Hi 

Again by symmetry and the union bound, it suffices to show 
that Pr{^f (y^, Wi) ^ {W2, !}} vanishes as n increases. Al- 
lowing An to be set later, define 

El = {(ii",^") : mini (Xi; V\U^ > A^} 
E2 = {K,^") : mini (Xi; V\U^ < A,} 

where for each pair of {u'^^v'^), the minimization of mutual 
information above is over all triples (Xi^U^V) of random 
variables, which respectively take values over A'l, U, and U, 
and have distributions satisfying the following constraints: 



^c/y(u,v) = Pn-^-(u,v) 



(7) 



Note that for (ix^,v^) G E2, mmI{X;V\U) < A^. To 
simplify notation, let (X, /7, F) be the choice that achieves the 
minimum. Then by the Pinsker inequality 111 01 Lemma 11.6.1], 
there exists a constant k such that 



^y|f/(v|u) -i^y|f/,Xi(v|u,xi) 



< k\/\r,,. 



This inequality itself also implies that there exists another 
constant k' such that 



Xl^v|c/(v|^)^f/|Xi(^|xi) - Pf/|Xi(v|xi) 



< k'^K,- 



This situation though is analyzed in f9l, and can be 
shown to imply that there exists another scalar k" 
giving Py|^(v|u) — 1 (v = u) < k" y/e, provided that 
(Pf/|Xi,^) is non-manipulable. Consequently, it can 
be shown that (^-, c?(^i), €^(^2)) G 

if vP" e U{ci{wi)^C2{w2)), for some constant k. 
By setting, Vn = kyO^^, we can conclude that 
{[/^ e Ui^liWi), C^(V^2)), (t/^, V^) e E2} is not 
an error event under Hi. Therefore we can bound 
Pr {gUV"^ Wi) ^ {W2, !}} as below: 

PrK(FM^i)^{l^2,!}} 

<MU'' ^u{cuwi),c^{W2))} 

-^Ft{U^ eU{C^{Wi),C^{W2))^ 

eV2^ACUWi);W2,C^), {U^,V^)eEi} (8) 

The probability Pr{/7^ ^ U (CKWi), C^(V^2))} has been 
shown to vanish above (cf. ([6])). It thus remains to show that 
the second probability on the right hand side of ^ decreases 
to zero as n ^ 00. 
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To that end, define the following sets for convenience: 
Qi(M",t;";c?) 

Q2(w",t^";c?,4) 

^ {wr : c^w,) e T[l^|^,;,^]^, (w",c5(«;2))} • 

By (TT] Problem 2.10], there exists Cn satisfying the delta 
convention that 



<^ 2^[max//(Xi|c/,y)+Cr^ 



where Xi, /7, F are restricted to distributions that satisfy (|7]). 
Through judicious use of this and |11, p. 409, Lemma 17.9], 
the following bounds can be shown: 



n[|it:i-min/(Xi;C/,V')| 



Pr||QiK,^^;C-)| >72 
Prl |Q2K,^";C-,C^)|> 



+1+ 



72 



n fl2-/(X2;lf|Xi) + LRi-min/(Xi;;7,V)r +Cn+3e 



|«2-^(^2;«^l^l) + |-Rl-min/(Xi;!7,V)|+|^+Cn+3en] 



Pr <^ max |Q3(w^2; u"; C?, C5)| > 72 

<^ g-a(7)22"^-+ni?2ln2 



2ne, 



} 



for any 7 > 1 and (7(7) = 7 In 7 — 7 + 1. Hence all the three 
probabilities above can be bounded by the double exponential 
term e"^'^^^^'"'"' for some with the property that ne'^ 00. 
Using this and (|4]), we can bound 

Pr|/7" gZY(C^(I^i), 0^(1^2)), 

e V2^. (C? (I^i); 1^2, C^), (t/", G ^1 

• I Q2K, c?, 4)1 • max 1 23(^2; u^; c?, c^) | p(c?, 4) 



<^ 2-^[^(^l^i^2)+i?i+i?2-e^]|2^[2^(f^)+2er.] . 3^-^(7)2" 



1 + 1 + 



^ n LR2-/(X2;t/|Xi) + LRi-min/(Xi;t/,y)r +a+5e 



< 3e-^(^)2"'^+^[^(t^)+^(^i.^2;t/)-i?i-i?2+3e^]ln2 

^ ^22-n[i?i+i?2-/(Xi,X2;t/)-a-Te^] ^ ^22-n[A^-a-8e^] ^ 

Hence by setting = 2(n + Se^, the upper bound vanishes. 

V. Conclusion 

We have presented an inner bound on the capacity region of 
which two nodes can exchange information with guaranteed 
integrity through a two-way Byzantine relay. The inner bound 
is specified by the non-manipulability property of the channel. 
The coding scheme that achieves the bound requires neither 
any pre-shared secret nor secret transmission. As a result, the 
inner bound is generally larger than any achievable region 
that is obtained based on secret transmission. We believe 
that the inner bound is in fact the capacity region with 
guaranteed information integrity. We will prove this converse 
statement in an upcoming paper. Finally we point out that the 
coding scheme described can be easily modified to support the 
additional requirement of secret transmission. 
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